Good afternoon all,
I just had a quick question regarding exclusions or drops in Logstash.
I know you can drop specific messages on the input or output in Logstash.
I'm wondering what the best practice is for large lists of exclusions? Is there a way to do an include of a list of exclusion statements from an external file, or would you put them all in the syslog input/elasticsearch output?
I.e., if you want to drop messages that contain 1234, you could use:
if "1234" in [message] { drop { } }
Can you put a bunch of these in a file, then have Logstash include that file as a statement in the input/output?
I.e., include => /file/of/drops
My scenario is: if I have a syslog/beat client that is particularly noisy, is it best practice to add lots of these exclusions, or do people typically do this elsewhere?
Thanks!
Chris